Stale dates in the "Last Detected" column

A regularly scheduled scan ran early this week (5/18). The boxes in the scan have all been up and have not been patched, rebooted, or down. What does "Last Detected" mean in this context? These alleged vulns are showing up as "New" because they were only detected once. But I'm pretty confident nothing changed on the boxes, so why weren't they detected in subsequent scans?

Upon review of your report data, the very first thing I noticed is while these are indeed servers, they are also AWS EC2 instances. What is your level of confidence 1) these instances are still running week over week, and 2) on the same IP address as last reported? AWS instances can be running one moment and terminated the next. What effort are you putting forth to assess the instance state(s) in your AWS cloud environment?

I have forwarded the information herein to your TAM for a 1-on-1 follow-up.

In addition to working with your TAM and/or Qualys Support, I would like to strongly recommend visiting our free training and documentation pages at your convenience:

Based on another of Chris Knox' posts, I don't believe (but I could be wrong) you are both talking about the same thing. I believe, in Chris' case, there may be a product training and experience issue at play.

Without reviewing the report in its entirety, I can only guesstimate the possibilities based on my personal hands-on experience.

This happens most often when there are asset management challenges within your subscription; most frequently when you have IP tracked assets in a DHCP environment.

Example:

On Tuesday May 19, IP address 10.10.1.1 was assigned to a Windows 10 Laptop.

On Tuesday May 26, IP address 10.10.1.1 was assigned to a MacBook Pro.

When you review the detections for 10.10.1.1 you will find:

The detections for Windows will have a last detected date of May 19.

The detections for Mac OSX will have a first AND last detected date of May 26.

Again, it would be best to have the report reviewed in its entirety to know for certain. Either way, there are multiple ways to address this issue which you can discuss with your Technical Account Manager to decide what will work best for your subscription.
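Added example, not part of the original thread and not Qualys code or a Qualys API: a small Python model of IP-tracked detection records that reproduces the 10.10.1.1 case above and flags addresses where the stale and current detections come from different operating systems. The record fields, the `QID-*` labels, the RHEL server at 10.10.2.2 and the year 2020 are constructed for illustration.

```python
from datetime import date

def record_scan(store, scan_date, ip, os_name, qids):
    """Merge one scan into a store keyed by (ip, qid).

    With IP tracking the address is the asset identity, so whatever host
    answers on that IP has its findings filed under the same asset.
    """
    for qid in qids:
        rec = store.setdefault((ip, qid), {"first": scan_date, "os": os_name})
        rec["last"] = scan_date   # only findings seen in this scan move forward
        rec["os"] = os_name

def classify(store, ip, latest_scan):
    """Split one IP's detections into stale and new-only, and flag a host swap."""
    stale, new_only, stale_os, current_os = [], [], set(), set()
    for (rec_ip, qid), rec in sorted(store.items()):
        if rec_ip != ip:
            continue
        if rec["last"] < latest_scan:
            stale.append(qid)              # "Last Detected" stuck on an older scan
            stale_os.add(rec["os"])
        else:
            current_os.add(rec["os"])
            if rec["first"] == latest_scan:
                new_only.append(qid)       # first AND last detected on latest scan
    # Stale and current findings with no OS in common suggest a different host
    # now answers on this address (assumed heuristic, not a Qualys rule).
    swapped = bool(stale_os) and bool(current_os) and stale_os.isdisjoint(current_os)
    return {"stale": stale, "new_only": new_only, "host_swapped": swapped}

# Constructed sample data mirroring the example in the post above.
STORE = {}
record_scan(STORE, date(2020, 5, 19), "10.10.1.1", "Windows 10", ["QID-W1", "QID-W2"])
record_scan(STORE, date(2020, 5, 19), "10.10.2.2", "RHEL", ["QID-L1"])
record_scan(STORE, date(2020, 5, 26), "10.10.1.1", "macOS", ["QID-M1"])
record_scan(STORE, date(2020, 5, 26), "10.10.2.2", "RHEL", ["QID-L1"])

if __name__ == "__main__":
    for ip in ("10.10.1.1", "10.10.2.2"):
        print(ip, classify(STORE, ip, date(2020, 5, 26)))
```

An address that reports stale findings without `host_swapped` being set points away from IP reuse and toward the scan not reaching or not re-testing the host.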

The addresses in question belong to servers. They are definitely not DHCP. We do have some assets that will be moving to AWS where Asset Tagging will come into play, but these boxes are all RHEL with static IPs. They have been up, in some cases, for months and there have been no network outages.

We use the Remediation module and the remediation tickets. The strange thing about what we are seeing is the affected remediation tickets (4 that we know of) show the same First Detected and Last Detected dates and the tickets are still open. However, the QIDs do not show up in the AV or CA module. This is what I have had a support case open about for over a month now.

I have tried to manually network scan the assets and it did not change anything. Since the reporting is done out of the VM module, the tickets were overdue even though I believe these are remediated. After the full network scan I pushed the dates out further and the first and last detected still did not change.

If I can't get support to assist in this, I can delete the tickets and then re-scan the assets. This should fix it; however, I don't want to fix this. Support should fix it, because I think the issue is on the Qualys back-end. Plus, I don't know how many are in this state, and if Qualys fixes this, it should fix it for all of them.